Query on the reporting of Cisco WSA

mehedimec
Level 1

Hi,

We deployed a Cisco WSA S600v in monitoring mode a few months ago. After monitoring the Anti-Malware report in the GUI, we found some malware threats. We cannot find any details or characteristics of the following malware/virus/PUA on the internet or in the Sophos documentation:

Mal.Gen.IX, Mal.Gen.KD, Mal.Gen.KA, Mal.Gen.KB, Mal.Gen.IV, Mal.Gen.JN, Mal.Gen.JB, Mal.Gen.JC, Mal.Gen.JM, App/AdvMac-P, etc.

 

How can I get information on the types and characteristics of these?

 

The second thing is, in the web reputation filtering, we found some botnets are blocked by WBRS. I would like to know the details of the botnet detection principle in the WSA. Is there any way to get the types, names, associated IPs, or any other specific details about the detected botnets? Moreover, does it use any Botnet Traffic Filter like the ASA, as mentioned in https://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asa-botnet.html?

 

Another query is that, according to the web reputation filter at default settings, it should allow traffic with a reputation score between 6 and 10 without any scan. But we found that a lot of transactions were scanned further, and many of them were detected as malware. What is the reason behind this?

Thanks in advance.

 

Accepted Solution

shgrover
Cisco Employee

Hello mehedimec,

 

This is how Webroot maintains a database of the malware signatures they find. Webroot uses these names for generic malware and malicious URLs, and they do not indicate any specific type of malware. When new generic malware definitions are created, an incremental suffix is added, so the difference between .IX and .IV is when the definitions were created.

 

The whole WBRS engine is managed by TALOS. TALOS assigns a WBRS score to URLs, etc.

 

Web Reputation Filters use data to assess the reliability of Internet domains and score the reputation of URLs. The web reputation calculation associates a URL with network parameters to determine the probability that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation Score between -10 and +10, with +10 being the least likely to contain malware.

Example parameters include the following:

• URL categorization data
• Presence of downloadable code
• Presence of long, obfuscated End-User License Agreements (EULAs)
• Global volume and changes in volume
• Network owner information
• History of a URL
• Age of a URL
• Presence on any block lists
• Presence on any allow lists
• URL typos of popular domains
• Domain registrar information
• IP address information

Note: Cisco does not collect identifiable information such as user names, passphrases, or client IP addresses.

 

TALOS is not confined to just the above. It has many more ways to classify domains. The above are just a few examples to give you an idea.

 

If a URL reputation score is between 6 and 10 and the anti-malware engine is enabled, scanning will happen. If you check the access policies and click the last engine, "Web Reputation and Anti-Malware", it clearly states:

 

Web Reputation Filters will automatically block transactions with a low Web Reputation score. For transactions with a higher Web Reputation score, scanning will be performed using the services selected by Adaptive Scanning.

 

Regards

Shikha Grover

PS: Please don't forget to rate and select as validated answer if this answered your question
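To make the answer's point concrete, here is an added example (not code from the thread or from Cisco) that models the access-policy decision just described: low scores are blocked outright, and every other transaction, including those in the 6 to 10 band, goes to the scanners whenever the anti-malware engine is enabled. The threshold values, the transaction records and the scanner verdicts are constructed assumptions.

```python
from typing import NamedTuple


class Decision(NamedTuple):
    action: str      # "BLOCK" or "ALLOW"
    scanned: bool    # whether the anti-malware scanners were consulted
    reason: str


class ReputationPolicy(NamedTuple):
    block_below: float = -6.0   # assumption: scores below this are blocked by WBRS alone
    allow_above: float = 6.0    # lower bound of the "6 to 10" band the poster refers to
    anti_malware_enabled: bool = True


class Transaction(NamedTuple):
    url: str
    wbrs_score: float
    scanner_verdict: str = "clean"  # constructed: what a scanner reports if it runs


def decide(policy: ReputationPolicy, tx: Transaction) -> Decision:
    """Apply the rule from the answer: block on low WBRS, otherwise scan."""
    s = tx.wbrs_score
    if not -10.0 <= s <= 10.0:      # WBRS scores live in [-10, +10]
        raise ValueError(f"WBRS score out of range: {s}")
    if s < policy.block_below:
        return Decision("BLOCK", False, f"WBRS {s} below {policy.block_below}")
    if s > policy.allow_above and not policy.anti_malware_enabled:
        return Decision("ALLOW", False, f"WBRS {s} high and anti-malware engine off")
    # Everything else is handed to the services Adaptive Scanning selects.
    if tx.scanner_verdict != "clean":
        return Decision("BLOCK", True, f"scanned at WBRS {s}: {tx.scanner_verdict}")
    return Decision("ALLOW", True, f"scanned at WBRS {s}: clean")


def summarize(policy: ReputationPolicy, transactions) -> dict:
    """Tally the way the GUI report would: (scanned?, action) -> count."""
    counts: dict = {}
    for tx in transactions:
        d = decide(policy, tx)
        counts[(d.scanned, d.action)] = counts.get((d.scanned, d.action), 0) + 1
    return counts


SAMPLE = [  # constructed transactions, not data from the poster's deployment
    Transaction("http://example.com/update.exe", 8.2),
    Transaction("http://example.net/setup.exe", 7.5, "Mal.Gen.IX"),
    Transaction("http://example.org/landing", -7.1),
    Transaction("http://example.com/page", 2.0),
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(tx.url, decide(ReputationPolicy(), tx))
    print(summarize(ReputationPolicy(), SAMPLE))
```

Switching `anti_malware_enabled` to `False` reproduces the behaviour the poster expected, which is why the scanned-and-detected entries appear only when the engine is on.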
